Threats, Attacks, and Vulnerabilities (1) Flashcards

1
Q

John is analyzing strange behavior on computers in his network. He believes there is malware on the machines. The symptoms include strange behavior that persists, even if he boots the machine to a Linux Live CD. What is the most likely cause?

Ransomware

Boot sector virus

Rootkit

A

Boot sector virus

The correct answer is a boot sector virus, which is one that infects the boot sector of the hard drive. Thus, which operating system you boot to is irrelevant.

2
Q

Ahmed is a sales manager with a major insurance company. He has received an email that is encouraging him to click on a link and fill out a survey. He is suspicious of the email, but it does mention a major insurance association, and that makes him think it might be legitimate. Which of the following best describes this attack?

Phishing

Social engineering

Spear phishing

A

Spear phishing

The correct answer is spear phishing. Spear phishing is targeted at a specific group, in this case insurance professionals. Attackers can find individuals to target from public sources; this is known as open-source intelligence.

3
Q

You are a security administrator for a medium-sized bank. You have discovered a piece of software on your bank’s database server that is not supposed to be there. It appears that the software will begin deleting database files if a specific employee is terminated. What best describes this?

Worm

Logic bomb

Trojan horse

A

Logic bomb

A logic bomb is malware that performs its malicious activity when some condition is met. The worm option is incorrect because a worm is malware that self-propagates.

4
Q

You are responsible for incident response at Acme bank. The Acme bank website has been attacked. The attacker used the login screen, but rather than enter login credentials, he or she entered some odd text: ' or '1' = '1. What is the best description for this attack?

Cross-site scripting

Cross-site request forgery

SQL injection

A

SQL injection

The text shown is the classic example of a basic SQL injection used to log in to a site.

5
Q

Juanita is a network administrator for a small accounting firm. The users on her network are complaining of slow connectivity. When she examines the firewall logs, she observes a large number of half-open connections. What best describes this attack?

DDoS

SYN flood

Buffer overflow

A

SYN flood

Half-open connections are the hallmark of a SYN flood.

6
Q

Frank is deeply concerned about attacks to his company’s e-commerce server. He is particularly worried about cross-site scripting and SQL injection. Which of the following would best defend against these two specific attacks?

Encrypted web traffic

Filtering user input

A firewall

A

Filtering user input

The primary and best way to defend against the attacks mentioned is filtering user input.

7
Q

You are responsible for network security at Acme Company. Users have been reporting that personal data is being stolen when using the wireless network. They all insist they only connect to the corporate wireless access point (WAP). However, logs for the WAP show that these users have not connected to it. Which of the following could best explain this situation?

Session hijacking

Clickjacking

Rogue access point

A

Rogue access point

If users have been connecting but the WAP does not show them connecting, then they have been connecting to a rogue access point. This could be enabled by an architecture and design weakness, such as a network without segmentation and without control over which devices connect to it.

8
Q

What type of attack depends on the attacker entering JavaScript into a text area that is intended for users to enter text that will be viewed by other users?

SQL injection

Clickjacking

Cross-site scripting

A

Cross-site scripting

Cross-site scripting involves entering a script into text areas that other users will view.

9
Q

A sales manager at your company is complaining about slow performance on his computer. When you thoroughly investigate the issue, you find spyware on his computer. He insists that the only thing he has downloaded recently was a freeware stock trading application. What would best explain this situation?

Logic bomb

Trojan horse

Rootkit

A

Trojan horse

A Trojan horse wraps a malicious program inside a legitimate program. When the user downloads and installs the legitimate program, they also get the malware.

10
Q

Your company outsourced development of an accounting application to a local programming firm. After three months of using the product, one of your accountants accidentally discovers a way to log in and bypass all security and authentication. What best describes this?

Logic bomb

Trojan horse

Backdoor

A

Backdoor

A backdoor is a method for bypassing normal security and directly accessing the system.

11
Q

Teresa is the security manager for a mid-sized insurance company. She receives a call from law enforcement, telling her that some computers on her network participated in a massive denial-of-service (DoS) attack. Teresa is certain that none of the employees at her company would be involved in a cybercrime. What would best explain this scenario?

It is a result of social engineering.

The machines all have backdoors.

The machines are bots.

A

The machines are bots.

The machines in her network are being used as bots, and the users are not aware that they are part of a DDoS attack.

12
Q

Mike is a network administrator with a small financial services company. He has received a popup window that states his files are now encrypted and he must pay .5 bitcoins to get them decrypted. He tries to check the files in question, but their extensions have changed, and he cannot open them. What best describes this situation?

Mike’s machine has a rootkit.

Mike’s machine has ransomware.

Mike’s machine has a logic bomb.

A

Mike’s machine has ransomware.

This is a classic example of ransomware.

13
Q

Terrance is examining logs for the company e-commerce web server. He discovers a number of redirects that cannot be explained. After carefully examining the website, he finds some attacker performed a watering hole attack by placing JavaScript in the website and is redirecting users to a phishing website. Which of the following techniques would be best at preventing this in the future?

An active IDS/IPS

Checking buffer boundaries

Checking user input

A

Checking user input

The primary method for stopping both cross-site scripting and SQL injection is to check or filter user input.

14
Q

What type of attack is based on sending more data to a target variable than the data can actually hold?

Bluesnarfing

Buffer overflow

Bluejacking

A

Buffer overflow

This is the description of a buffer overflow.

15
Q

You have been asked to test your company network for security issues. The specific test you are conducting involves primarily using automated and semiautomated tools to look for known vulnerabilities with the various systems on your network. Which of the following best describes this type of test?

Vulnerability scan

Penetration test

Security audit

A

Vulnerability scan

A vulnerability scan uses automated tools such as Nessus and Microsoft Baseline Security Analyzer to find known vulnerabilities.

16
Q

Jared discovers that attackers have breached his WiFi network. They have gained access via the wireless access point (WAP) administrative panel, and have logged on with the credentials the WAP shipped with. What best describes this issue?

Default configuration

Race conditions

Failure to patch

A

Default configuration

Credentials the WAP shipped with are an example of a default configuration.

17
Q

Joanne is concerned about social engineering. She is particularly concerned that this technique could be used by an attacker to obtain information about the network, including possibly even passwords. What countermeasure would be most effective in combating social engineering?

SPI firewall

An IPS

User training

A

User training

Social engineering can only be countered by user training and education.

18
Q

You are responsible for incident response at a mid-sized bank. You have discovered that someone was able to successfully breach your network and steal data from your database server. All servers are configured to forward logs to a central logging server. However, when you examine that central log, there are no entries after 2:13 a.m. two days ago. You check the servers, and they are sending logs to the right server, but they are not getting there. Which of the following would be most likely to explain this?

Your log server has a backdoor.

Your log server has been hit with a buffer overflow attack.

Your switches have been hit with ARP poisoning.

A

Your switches have been hit with ARP poisoning.

ARP poisoning alters the ARP tables so that traffic is directed to a different MAC address, which would explain why the log entries never reached the log server.

19
Q

Coleen is the web security administrator for an online auction website. A small number of users are complaining that when they visit the website and log in, they are told the service is down and to try again later. Coleen checks and she can visit the site without any problem, even from computers outside the network. She also checks the web server log and there is no record of those users ever connecting. Which of the following might best explain this?

Typosquatting

SQL injection

Cross-site scripting

A

Typosquatting

From the description it appears that they are not logging in to the real web server but rather to a fake server. That indicates typosquatting: registering a URL that is named very similarly to a real site, so that when users mistype the real site's URL they go to the fake site instead.

20
Q

Mahmoud is responsible for managing security at a large university. He has just performed a threat analysis for the network, and based on past incidents and studies of similar networks, he has determined that the most prevalent threat to his network is low-skilled attackers who wish to breach the system, simply to prove they can or for some low-level crime, such as changing a grade. Which term best describes this type of attacker?

Amateur

Insider

Script kiddie

A

Script kiddie

The term for low-skilled hackers is script kiddie.

21
Q

Which of the following best describes a collection of computers that have been compromised and are being controlled from one central point?

Zombienet

Botnet

Nullnet

A

Botnet

The term for this is botnet, usually spelled as one word.

22
Q

John is conducting a penetration test of a client’s network. He is currently gathering information from sources such as archive.org, netcraft.com, social media, and information websites. What best describes this stage?

Active reconnaissance

Passive reconnaissance

Initial exploitation

A

Passive reconnaissance

Passive reconnaissance is any reconnaissance that is done without actually connecting to the target.

23
Q

One of the salespeople in your company reports that his computer is behaving sluggishly. You check but don’t see any obvious malware. However, in his temp folder you find JPEGs that look like screenshots of his desktop. Which of the following is the most likely cause?

He is stealing data from the company.

There is a backdoor on his computer.

There is spyware on his computer.

A

There is spyware on his computer.

Some spyware takes screen captures of the system, and it is common for such spyware to hide them in the temp folder.

24
Q

What type of attack is based on entering fake entries into a target network's domain name server?

DNS poisoning

ARP poisoning

Bluesnarfing

A

DNS poisoning

This is an exact description of DNS poisoning, also called domain hijacking.

25
Q

Frank has been asked to conduct a penetration test of a small bookkeeping firm. For the test, he has only been given the company name, the domain name for their website, and the IP address of their gateway router. What best describes this type of test?

White-box test

External test

Black-box test

A

Black-box test

A black-box test involves absolutely minimal information.

26
Q

You work for a security company that performs penetration testing for clients. You are conducting a test of an e-commerce company. You discover that after compromising the web server, you can use the web server to launch a second attack into the company’s internal network. What best describes this?

Internal attack

White-box testing

A pivot

A

A pivot

A pivot occurs when you exploit one machine and use it as a base from which to attack other systems.

27
Q

While investigating a malware outbreak on your company network, you discover something very odd. There is a file that has the same name as a Windows system DLL, and even has the same API interface, but handles input very differently, in a manner to help compromise the system, and it appears that applications have been attaching to this file, rather than the real system DLL. What best describes this?

Shimming

Trojan horse

Backdoor

A

Shimming

Shimming is when the attacker places some malware between an application and some other file, and intercepts the communication to that file (usually a library or system API).

28
Q

Your company has hired a penetration testing firm to test the network. For the test, you have given the company details on operating systems you use, applications you run, and network devices. What best describes this type of test?

White-box test

External test

Black-box test

A

White-box test

A white-box test involves providing extensive information, as described in this scenario.

29
Q

Frank is a network administrator for a small college. He discovers that several machines on his network are infected with malware. That malware is sending a flood of packets to a target external to the network. What best describes this attack?

SYN flood

DDoS

Botnet

A

DDoS

His machines are part of a distributed denial-of-service attack.

30
Q

John is a salesman for an automobile company. He recently downloaded a program from an unknown website, and now his client files have their file extensions changed, and he cannot open them. He has received a popup window that states his files are now encrypted and he must pay .5 bitcoins to get them decrypted. What has happened?

His machine has a rootkit.

His machine has a logic bomb.

His machine has ransomware.

A

His machine has ransomware.

This is a textbook example of how ransomware works.